Add L7 policies for user-agent blocking and required headers

Per-route HTTP-level blocking policies for L7 routes. Two rule types:
block_user_agent (substring match against User-Agent, returns 403)
and require_header (named header must be present, returns 403).

Config: L7Policy struct with type/value fields, added as L7Policies
slice on Route. Validated in config (type enum, non-empty value,
warning if set on L4 routes).

DB: Migration 4 creates l7_policies table with route_id FK (cascade
delete), type CHECK constraint, UNIQUE(route_id, type, value). New
l7policies.go with ListL7Policies, CreateL7Policy, DeleteL7Policy,
GetRouteID. Seed updated to persist policies from config.

L7 middleware: PolicyMiddleware in internal/l7/policy.go evaluates
rules in order, returns 403 on first match, no-op if empty. Composed
into the handler chain between context injection and reverse proxy.

Server: L7PolicyRule type on RouteInfo with AddL7Policy/RemoveL7Policy
mutation methods on ListenerState. handleL7 threads policies into
l7.RouteConfig. Startup loads policies per L7 route from DB.

Proto: L7Policy message, repeated l7_policies on Route. Three new
RPCs: ListL7Policies, AddL7Policy, RemoveL7Policy. All follow the
write-through pattern.

Client: L7Policy type, ListL7Policies/AddL7Policy/RemoveL7Policy
methods. CLI: mcproxyctl policies list/add/remove subcommands.

Tests: 6 PolicyMiddleware unit tests (no policies, UA match/no-match,
header present/absent, multiple rules). 4 DB tests (CRUD, cascade,
duplicate, GetRouteID). 3 gRPC tests (add+list, remove, validation).
2 end-to-end L7 tests (UA block, required header with allow/deny).

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

cmd/mc-proxy/server.go

@@ -132,6 +132,17 @@ func loadListenersFromDB(store *db.Store) ([]server.ListenerData, error) {
 		}
 		routes := make(map[string]server.RouteInfo, len(dbRoutes))
 		for _, r := range dbRoutes {
+			// Load L7 policies for this route.
+			var policies []server.L7PolicyRule
+			if r.Mode == "l7" {
+				dbPolicies, err := store.ListL7Policies(r.ID)
+				if err != nil {
+					return nil, fmt.Errorf("loading L7 policies for route %q: %w", r.Hostname, err)
+				}
+				for _, p := range dbPolicies {
+					policies = append(policies, server.L7PolicyRule{Type: p.Type, Value: p.Value})
+				}
+			}
 			routes[strings.ToLower(r.Hostname)] = server.RouteInfo{
 				Backend:           r.Backend,
 				Mode:              r.Mode,
@@ -139,6 +150,7 @@ func loadListenersFromDB(store *db.Store) ([]server.ListenerData, error) {
 				TLSKey:            r.TLSKey,
 				BackendTLS:        r.BackendTLS,
 				SendProxyProtocol: r.SendProxyProtocol,
+				L7Policies:        policies,
 			}
 		}
 		result = append(result, server.ListenerData{

cmd/mcproxyctl/policies.go

@@ -0,0 +1,114 @@
+package main
+
+import (
+	"context"
+	"fmt"
+	"time"
+
+	"github.com/spf13/cobra"
+
+	mcproxy "git.wntrmute.dev/kyle/mc-proxy/client/mcproxy"
+)
+
+func policiesCmd() *cobra.Command {
+	cmd := &cobra.Command{
+		Use:   "policies",
+		Short: "Manage L7 policies",
+		Long:  "Manage L7 HTTP policies for mc-proxy routes.",
+	}
+
+	cmd.AddCommand(policiesListCmd())
+	cmd.AddCommand(policiesAddCmd())
+	cmd.AddCommand(policiesRemoveCmd())
+
+	return cmd
+}
+
+func policiesListCmd() *cobra.Command {
+	return &cobra.Command{
+		Use:   "list LISTENER HOSTNAME",
+		Short: "List L7 policies for a route",
+		Args:  cobra.ExactArgs(2),
+		RunE: func(cmd *cobra.Command, args []string) error {
+			listenerAddr := args[0]
+			hostname := args[1]
+			client := clientFromContext(cmd.Context())
+
+			ctx, cancel := context.WithTimeout(cmd.Context(), 5*time.Second)
+			defer cancel()
+
+			policies, err := client.ListL7Policies(ctx, listenerAddr, hostname)
+			if err != nil {
+				return fmt.Errorf("listing policies: %w", err)
+			}
+
+			if len(policies) == 0 {
+				fmt.Printf("No L7 policies for %s on %s\n", hostname, listenerAddr)
+				return nil
+			}
+
+			fmt.Printf("L7 policies for %s on %s:\n", hostname, listenerAddr)
+			for _, p := range policies {
+				fmt.Printf("  %-20s  %s\n", p.Type, p.Value)
+			}
+			return nil
+		},
+	}
+}
+
+func policiesAddCmd() *cobra.Command {
+	return &cobra.Command{
+		Use:   "add LISTENER HOSTNAME TYPE VALUE",
+		Short: "Add an L7 policy",
+		Long:  "Add an L7 policy to a route. TYPE is block_user_agent or require_header.",
+		Args:  cobra.ExactArgs(4),
+		RunE: func(cmd *cobra.Command, args []string) error {
+			listenerAddr := args[0]
+			hostname := args[1]
+			policyType := args[2]
+			policyValue := args[3]
+			client := clientFromContext(cmd.Context())
+
+			ctx, cancel := context.WithTimeout(cmd.Context(), 5*time.Second)
+			defer cancel()
+
+			if err := client.AddL7Policy(ctx, listenerAddr, hostname, mcproxy.L7Policy{
+				Type:  policyType,
+				Value: policyValue,
+			}); err != nil {
+				return fmt.Errorf("adding policy: %w", err)
+			}
+
+			fmt.Printf("Added policy: %s %q on %s/%s\n", policyType, policyValue, listenerAddr, hostname)
+			return nil
+		},
+	}
+}
+
+func policiesRemoveCmd() *cobra.Command {
+	return &cobra.Command{
+		Use:   "remove LISTENER HOSTNAME TYPE VALUE",
+		Short: "Remove an L7 policy",
+		Args:  cobra.ExactArgs(4),
+		RunE: func(cmd *cobra.Command, args []string) error {
+			listenerAddr := args[0]
+			hostname := args[1]
+			policyType := args[2]
+			policyValue := args[3]
+			client := clientFromContext(cmd.Context())
+
+			ctx, cancel := context.WithTimeout(cmd.Context(), 5*time.Second)
+			defer cancel()
+
+			if err := client.RemoveL7Policy(ctx, listenerAddr, hostname, mcproxy.L7Policy{
+				Type:  policyType,
+				Value: policyValue,
+			}); err != nil {
+				return fmt.Errorf("removing policy: %w", err)
+			}
+
+			fmt.Printf("Removed policy: %s %q from %s/%s\n", policyType, policyValue, listenerAddr, hostname)
+			return nil
+		},
+	}
+}

cmd/mcproxyctl/root.go

@@ -58,6 +58,7 @@ func rootCmd() *cobra.Command {
 	cmd.AddCommand(healthCmd())
 	cmd.AddCommand(routesCmd())
 	cmd.AddCommand(firewallCmd())
+	cmd.AddCommand(policiesCmd())
 
 	return cmd
 }